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Abstract 

One-way functions are a fundamental notion in cryptography, since they are the necessary 
condition for the existence of secure encryption schemes. Most examples of such functions, 
including Factoring, Discrete Logarithm or the RSA function, can be, however, inverted with 
the help of a quantum computer. Hence, it is very important to study the possibility of quantum 
one-way functions, i.e. functions which are easily computable by a classical algorithm but are 
hard to invert even by a quantum adversary. In this paper, we provide a set of problems 
that are good candidates for quantum one-way functions. These problems include Graph Non- 
Isomorphism, Approximate Closest Lattice Vector and Group Non-Membership. More generally, 
we show that any hard instance of Circuit Quantum Sampling gives rise to a quantum one-way 
function. By the work of Aharonov and Ta-Shma [5], this implies that any language in Statistical 
Zero Knowledge which is hard-on-average for quantum computers, leads to a quantum one-way 
function. Moreover, extending the result of Impagliazzo and Luby [lOj to the quantum setting, 
we prove that quantum distributionally one-way functions are equivalent to quantum one-way 
functions. 
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1 Introduction 



One-way functions are at the core of modern cryptography. The fundamental task of cryptography 
is that of secure encryption of information against malicious parties. The existence of such secure 
encryption schemes implies that there is an efficient way of generating instances of problems together 
with some auxiliary information, such that it is easy to solve these instances with the help of the 
auxiliary information but hard to solve on average without it. 

This concept is exactly captured by the definition of one-way functions, which are the necessary 
condition for the existence of cryptography. Moreover, one-way functions have many theoretical 
applications, for example in their connections to cryptographic primitives like bit commitment and 
oblivious transfer, Zero Knowledge Proof Systems and pseudorandom generators. 

However, proving that one-way functions exist would imply that P 7^ NP and hence, we only 
have "candidate" one-way functions. Such candidate problems include Factoring, Discrete Loga- 
rithm, Graph Isomorphism, Quadratic Residuosity, Approximate Shortest Vector and Closest Vec- 
tor and the RSA function. These problems seem to belong to a class called NP- Intermediate, i.e. 
they are NP problems for which we do not know any efficient algorithm, but they don't seem to be 
NP-hard. Moreover, many of the candidate problems belong to the class of Statistical Zero Knowl- 
edge (SZK). In fact, Ostrovsky [14] showed that if SZK contains any hard-on-average problem, then 
one-way functions exist. 

The emergence of quantum computation and communication has provided the field of cryp- 
tography with many new strengths and challenges. The possibility of unconditionally secure key 
distribution shows that the laws of quantum mechanics can allow for the secure transmission of in- 
formation over quantum channels. Moreover, Shor's celebrated algorithm for Factoring and Discrete 
Logarithm implies that many classical one-way functions and hence cryptosystems, including RSA, 
will not be secure against quantum adversaries. It is a very important question to ask whether we 
can construct cryptosystems which are secure even against quantum attacks. To this end, we need 
to find good candidates for quantum one-way functions, i.e. functions which are easily computable 
by a classical algorithm but hard to invert even by a quantum adversary. 

Several other applications of quantum one-way functions have also been studied in a series of 
papers. For example, the connections between quantum one-way functions and quantum computa- 
tionally secure bit commitment schemes were explored in [5j[ll[3]. On the other hand, Gottesman 
et.al. [7J proposed a digital signature scheme based on a quantum one-way function with classical 
inputs but quantum outputs and proved the informational security of their protocol. Moreover, 
Kashefi et. al. |11] and Kawachi et. al. |12j presented a necessary and sufficient condition for testing 
the one-wayness of a given permutation in the quantum setting based on the efficiency of construct- 
ing a family of reflection operators. Recently, Watrous [16] proved that several classical interactive 
proof systems are statistically zero-knowledge against quantum attacks and showed that Compu- 
tational Zero Knowledge against quantum attacks for NP is implied by the existence of quantum 
one-way permutations. 

Despite the importance of the applications of quantum one-way functions, there had been few 
results so far that provided good candidate problems [4]. Here, we prove the quantum analogue of 
Ostrovsky's result and show that if there exists a problem in Statistical Zero Knowledge which is 
hard-on-average for a quantum computer, then quantum one-way functions exist and hence provide 
a set of problems that are good candidates for quantum one-way functions. 

The key insight in our result is the connection of quantum one-way functions to the problem 
of Circuit Quantum Sampling. Informally speaking, quantum sampling is the ability to prepare 
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efficiently a superposition that corresponds to a samplable classical probability distributions, i.e. a 
superposition whose amplitudes are the square roots of the probabilities of a classical distribution 
from which one can efficiently sample. The hardness of this task depends on the structure of the 
underlying set. For example, it is well known that being able to quantumly sample from the set 
of homomorphisms of a given input graph is sufficient to solve the notorious Graph Isomorphism 
problem. Aharanov and Ta-shma |2j have introduced this framework of circuit quantum sampling 
and have shown that many problems in quantum computation, including Graph Isomorphism, 
Discrete Logarithm, Quadratic Residuosity and Approximate Closest Lattice Vector (CVP), are all 
instances of it. 

We relate the problem of quantum sampling to quantum one-way functions by giving a simple 
proof that any hard instance of the quantum sampling problem implies the existence of a quantum 
one-way function. We first prove our results for the case of one-to-one one-way functions, the 
existence of which seems to be a stronger assumption than that of general one-way functions. 
Then, we generalize our results for many-to-one one-way functions. We show that a hard instance 
of the CQS problem implies a quantum distributionally one-way function and then prove that a 
quantum distributionally one-way function implies a quantum one-way function. The notion of 
classical distributionally one-way function was introduced by Impagliazzo and Luby in [10] . where 
they also prove its equivalence to classical one-way function. 

Aharonov and Ta-Shma showed that any Statistical Zero Knowledge language (SZK) can be 
reduced to a family of instances of the CQS problem. Using our result that a hard instance of CQS 
implies the existence of a quantum one-way function, we conclude that if there exists a language 
in Statistical Zero Knowledge which is hard-on-average, then quantum one-way functions exist. 

2 Preliminaries 

In this section we provide a brief overview of classical one-way functions and quantum computation. 
For an excellent exposition on quantum computation we refer the reader to |13j and for one-way 
functions to [6]. 

2.1 Classical one-way functions 

Definition 1 A function f : {0, 1}* — > {0, 1}* is a weak one-way function, if the following condi- 
tions are satisfied: 

(i) easy to compute: / can be computed by a polynomial size classical circuit. 

(ii) slightly-hard to invert: There exists a polynomial p(-) such that for any probabilistic polyno- 
mial time algorithm I and for all sufficiently large n £ N we have 



A classical weak one-way function / is defined in terms of a uniform family of functions f n , 
one for each input length n. The inverter / of the function takes as input the value f(x) and the 
size n in unary. For simplicity, in the following definitions we omit the parameter n. One can also 
assume, without loss of generality that the function /, is length regular i.e. for every x,y E {0, 1}*, 
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if |x| = \y\ then \ f(x)\ = |/(y)| and length preserving i.e. for every x G {0,1}*, = \x\ (for 

proof see [6]). 

Intuitively, the above definition of a weak one-way function says that the function is easy to 
compute but the probability that any algorithm fails to invert it, is not negligible as Condition (ii) 
can be equivalently written in the following form: 

1 Prob[/(/(x),l")0rH/(*))]>-^- 

Of course, such a definition seems to be very weak. One can define another type of one-way 
function, called strong one-way function, where we require that any algorithm inverts the function 
with negligible probability, where Condition (ii) will be replaced as follows: 

i- £ Prob[/(/(x),l")e /-!(/(*))] <-L. 

a;G{0,l}™ P ^ ' 

However, the two definitions are known to be equivalent both in the classical and quantum setting 
[6l [11], meaning that if a weak one-way function exists then a strong one-way function also 
exists. Hence, it suffices to work with the weaker but equivalent notion of weak one-wayness given 
in Definition [TJ 

Furthermore, Impagliazzo and Luby [TO] defined a seemingly weaker notion of one-wayness 
for many-to-one functions, called distributionally one-way function, and proved that, in fact, the 
existence of a distributionally one-way function implies the existence of a one-way function. 

Definition 2 A function f : {0, 1}* — > {0, 1}* is a distributionally one-way function, if the follow- 
ing conditions are satisfied: 

(i) easy to compute: / can be computed by a polynomial size classical circuit. 

(ii) hard to sample: There exists a polynomial p(-) such that for any probabilistic polynomial time 
algorithm S and for all sufficiently large n E N, the distribution defined by (x,f(x)) and 
the distribution defined by (S (f (x)) , f (x)) are statistically distinguishable by (i.e. have total 
variation distance) at least when x € {0, l} n is chosen uniformly. 

2.2 Quantum Computation 

Let H denote a 2-dimensional complex vector space, equipped with the standard inner product. We 
pick an orthonormal basis for this space, label the two basis vectors |0) and |1), and for simplicity 

identify them with the vectors ( J \ and ( ^ J , respectively. A qubit is a unit length vector in 

this space, and so can be expressed as a linear combination of the basis states: 

ao|0)+ai|l) = ( 00 

Here ao,ai are complex amplitudes, and |ao| 2 + l a i| 2 = 1- 

An m-qubit system is a unit vector in the m-fold tensor space H ® • • • ®H. The 2 m basis states 
of this space are the m-fold tensor products of the states |0) and |1). For example, the basis states 
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of a 2-qubit system are the 4-dimensional unit vectors |0) (g) |0), |0) (g) |1), |1) &) |0), and |1) (8> |1). 
We abbreviate, e.g. , |1) (g> |0) to |0)|1), or 1 1 , 0) , or |10), or even \2) (since 2 is 10 in binary). With 
these basis states, an m-qubit state |c/>) is a 2 m -dimensional complex unit vector 

10) = ai ^- 
«e{o,i} m 

We use (4>\ = \(j))* to denote the conjugate transpose of the vector \<f>), and (</> , i/j) = ■ \ip) for 
the inner product between states \<p) and \ip). These two states are orthogonal if (<p , ip) = 0. The 
norm of |0) is \\4>\\ = \/\(4> , 4>)\- 

A quantum state can evolve by a unitary operation or by a measurement. A unitary transfor- 
mation is a linear mapping that preserves the li norm. If we apply a unitary U to a state \(f>), it 
evolves to U\cf)). 

The most general measurement allowed by quantum mechanics is specified by a family of positive 
semidefinite operators Ei = M*Mi, 1 < i < k, subject to the condition that Yli^i = A 
projective measurement is defined in the special case where the operators are projections. Let 
\4>) be an m-qubit state and B = {|&i), . . . , |&2 m )} an orthonormal basis of the m-qubit space. A 
projective measurement of the state \4>) in the B basis means that we apply the projection operators 
Pi = \bi)(bi\ to \4>). The resulting quantum state is \bi) with probability Pi = \(<fr , h)\ 2 . 

2.3 Quantum Sampling 

Let {Ci} be a uniform classical circuit family and for every input size n define Dc n to be the 
distribution over outputs of the circuit C n : {0, l} n — > {0, l} m when the input distribution is 
uniform. Denote by \C n ) = J2 z <={o i} m V 'Dc n {z)\z) , the quantum sample of outputs of C n . 

Definition 3 Given a uniform family of classical circuit {Cj} and a real number < e < \, define 
QSc to be an efficient quantum circuit which for any sufficiently large input size n, prepares a state 
that is e-close to the quantum sample \C n ) , i.e. \(QSc{\0), l n ) , |C n ))| 2 > 1 — e. 

The problem of finding such a quantum circuit QSc for any given uniform family of classical 
circuits {C{\ was introduced by Aharanov and Ta-shma in [2J, as the Circuit Quantum Sampling 
Problem (CQS). In fact, they defined CQS as HQScdO), l n ) — |C n )|| < e, however both definitions 
suffice for the proof that Statistical Zero Knowledge reduces to a family of instances of the CQS 
problem. We say that the quantum sampling problem for {C{\ is hard if there exists no efficient 
QS for any constant e E [0, 1/2]. 

3 Definitions of quantum one-way functions 

A quantum one-way function is defined similarly to the classical case, where now the inverter / is 
a polynomial size uniform quantum circuit family. For simplicity, we follow again the convention 
of omitting the parameter of the input size n. 

Definition 4 A one-to-one function f : {0, 1}* — > {0, 1}* is a weak quantum one-way function, if 
the following conditions are satisfied: 

(i) easy to compute: / can be computed by a polynomial size classical circuit. 
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(ii) slightly-hard to invert: There exists a polynomial p(-) such that for any quantum polynomial 
time algorithm I and all sufficiently large n G N we have 

1 £ Prob[I(f(x))ef-\f(x))]<l--J- 

In the quantum case, the probability of success of the inverter I is defined as the square of the 
inner product between the outcome of I and the outcome of the perfect inverter P, where 

P:\f(x))\P)~\f(x))\x®0). 

In other words, for the case of one-to-one functions 

Prob[/(/(x)) G f- 1 (f(x))]=Pmb[I(f(x)) = x} = |(/(|/(x)>|/3» , \f(x))\x /3»| 2 . 

As said before, one can also define another type of quantum one-way function (strong quantum 
one-way function) , where we require that any quantum algorithm inverts the function with negligible 
probability (instead of just failing with non-negligible probability). However, similar to the classical 
case, if there exists a weak quantum one-way function (Definition Hj) , then there exists a strong 
quantum one-way function as well [6j[8l[TT]. In this article, one-way function means a weak one-way 
function if not stated otherwise. 

We now provide an alternative definition for a one-to-one quantum one-way function, which 
is more suitable for constructing the relation between quantum one-way functions and the CQS 
problems and prove the equivalence of the two definitions. 

Definition 5 A one-to-one function f : {0, 1}* — * {0, 1}* is a weak quantum one-way function if: 

(i) f can be computed by a polynomial size classical circuit. 

(ii) There exists a polynomial p(-) such that there exists no quantum polynomial time algorithm 
I' with the property that for all sufficiently large n £ N we obtain 

I' : \f(x))\0) ~ a f(x) \f(x))\x ®0) + b f(x) \f(x))\G f{x) ) , (1) 

where G/^) is a garbage state, ^ X^e{o i}« a /(x) — ^ ~ an ^ a f{x) are positive real num- 
bers. 

It is clear that definition implies definition [5] and we also prove the converse. 

Theorem 1 If a one-to-one function f is weak quantum one-way according to definition^ then 
it is also weak quantum one-way according to definition^ 

Proof. Let / : {0, 1}* — * {0, 1}* be a quantum one-way function according to definition 
Assume for contradiction that this function is not one-way according to definition [H Then, for all 
polynomials p(-) there exists a quantum polynomial time algorithm I with the property that for 
all sufficiently large n £ N 

^ £ Prob[/(/(z))erV(z))]>l--^, 
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or equivalently 



I:\f(x))\P)^c m \f(x))\x®0)+d m \^ f(x) ), (2) 

where \ipf( x )) is a garbage state and ^ J2 x ^{o i}n l c /(x)| 2 > 1 ~~ Without loss of generality 

we can assume that cy( x ) are real numbers since it is well known that any quantum circuit with 
complex amplitudes can be replaced by another circuit with one more qubit and real amplitudes. 
We use this inverter to construct the following unitary that achieves the positive amplitudes. For 
clarity, here and in subsequent places in the paper we only show the unitary construction for the 
case where the ancilla registers are set to |0), unless the general ancilla state is required for the 
construction. It is clear of course how to unitarily extend the |0) ancilla to the other basis states. 

|/(x))|0)|0)|0) -(gnoth.8 |/(x))|0)|/(x))|0) 

~^h,2 (cf(x)\f(x))\x) + d f(x) \i; f{x) ))\f(x))\0) 



*hA c 2 f(x) \f(x))\x)\f(x))\x) + c fix) d f(x) \f(x))\x)^ fix) ) + 

d f(x)C f ( x )\^f( x ))\f(x))\x) + d 2 f{x) 

►(CNOT)i, 8 (CNOT) a ,4 c2 f( x )\f( x ))\ x )\°)\°) + b f(x)Wf( x) ) 



where Wft x \) is the new garbage state, orthogonal to the ideal state |/(x))|x)|0)|0) and by the fact 
that the average of the squares is larger than the square of the average we have 

2^ Sxe{0,l} n C /(:r) - (2^ SxG{0,l} n ° 2 f{x)) 2 — ~~ pln)^ - 1 ~ ^(nj ' 

Hence we have a new inverter 

r : \f(x))\P)^a fix) \f(x))\x®P)+b fix) \^ f{x) ), (3) 

with Ylxe{0 l}" a< f(x) — 1 — ^) an< ^ a f(x) = c "f(x) being positive real numbers. Finally, we can 
obtain the required form of the garbage state: 

l/0*0>|o>|o) - ( cnot) 12 1/0*0)1/0*0)10) 

-/^ 3 a f{x) \f{x))\f(x))\x)+b f{x) \f{x))W f(x) ) 
-^(ONOT)i >a af(x)\f(x))\0)\x) + b f{x) \f(x))\G f{x) ) . 

We reached a contradiction and therefore the function / is one-way according to definition [H Note 
that for simplicity of presentation we dropped the |0) registers that are constant for all x. □ 



The important aspect of Theorem [T] is the positivity of the amplitude cifM in the definition 
of the inverter algorithm I'. We will use this fact in order to relate one-way functions and circuit 
quantum sampling. 

In the standard definition, a many-to-one function is called one-way if there exists no inverter 
that outputs with high probability an arbitrary preimage of f(x). For many-to-one functions, 
Impagliazzo and Luby [10] defined a seemingly weaker notion, the distributionally one-way function. 
In this case, an inverter is required to output a random preimage of f(x) and not just an arbitrary 
one. However, they prove that, in fact, the existence of a distributionally one-way function implies 
the existence of a one-way function. We also define quantum distributionally one-wayness for 
many-to-one functions and will prove its equivalence to the quantum one-way functions. 
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Definition 6 A many-to-one function f : {0, 1}* — ► {0, 1}* is a quantum distributionally one-way 
function, if the following conditions are satisfied: 

(i) f can be computed by a polynomial size classical circuit. 

(ii) hard to invert: There exists a polynomial p(-) such that for any quantum polynomial time 
algorithm S and all sufficiently large n £ N we have 

Yn E I(W(X)>|0», \f(x))\H m ))f<l--L-, 

xe{o,i} n py ' 

where \H f{x) ) = J= m j ] £„<=/-! (/(,)) l*>- 

Note that one could potentially consider different definitions for quantum distributionally one-way 
functions, for example the quantum inverter could return a superposition with equal amplitudes 
but different phases. We believe that our quantum definition captures the essence of the classical 
one and moreover, we only use the above notion as an intermediate step in our proofs. Similar to 
the case of one-to-one functions we also give an equivalent definition 

Definition 7 A many-to-one function f : {0, 1}* — > {0, 1}* is a quantum distributionally one-way 
function if: 

(i) f can be computed by a polynomial size classical circuit. 

(ii) There exists a polynomial p such that there exists no quantum polynomial time algorithm S' 
with the property that for all sufficiently large n E N we obtain 

S' : |/(x))|0) ^ a f{x) \f(x)}\H f{x) ) + b f{x) \f{x))\G f(x) ) , (4) 

where \Gf^) is a garbage state, ^ X^xe{o i}™ a /0) — 1 — pin)' a f( x ) are P os ^ ve rea ^ numbers 
and\H f{x) ) = Vlf J (f{x))l Z x ef-Hf(x))\x)- 

We can easily extend the above algorithm S' into a unitary operation by mapping every other basis 
state \ f{x))\f3) to \f{x))\T^, where the set {\Hf^),Tj^ x y . . . ,T^T 1 } is any orthonormal basis. 
Following the same steps as in the proof of Theorem [1] we have 

Theorem 2 If a many-to-one function f is quantum one-way according to definition^ then it is 
also quantum one-way according to definition^ 

4 Circuit quantum sampling and one-way functions 

In this section, we show that hard instances of the Circuit Quantum Sampling problem are good 
candidates for quantum one-way functions. 
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4.1 One-to-one one-way functions 

We first focus our attention to the case of one-to-one one-way functions. The existence of one-to-one 
one-way functions is a seemingly stronger assumption than that of the existence of general one- 
way functions, since a one-way function doesn't immediately imply a one-to-one one-way function. 
However, this case illustrates the main ideas of our construction. In the following sections, we 
generalize our results for the case of many-to-one functions. 

Theorem 3 Assume for a classical circuit family {C n }, which computes a one-to-one function, 
the corresponding CQS problem is hard , i.e. there exists no efficient quantum circuit implementing 
QSc- Then the function f : {0, 1}* — > {0, 1}* which is defined for every input size n as f n : x \—* 
C n (x) is a quantum one-way function. 

Proof. For clarity, we are going to omit the parameter of the input size n from the inverter. 
Since, the circuit is efficient, one can implement the unitary map 

Uf.\x)\0)^\x)\f(x)), (5) 

The theorem follows by proving the contrapositive. Assume that / is not a quantum one-way 
function. Then according to definition [5J for every polynomial p there exists a quantum circuit I' 
which succeeds in approximately inverting /, i.e. for all sufficiently large n S N we have 

I' : \f(x))\f3) ' * a f{x) \f(x))\x © 0) + b f{x) \f(x))\G f{x) ) , (6) 

where \Gf^) is a garbage state, ^J2x a2 f(x) > 1 — an d the a/^'s are positive. Now, from 
equations [5] and M we have 

|x>|0) -e,, \x)\f(x)) 
"^SWAP \f(x))\x) 

-i' a f{x) \f(x))\0) +b f(x) \f(x))\G' m ) . 
Starting with a uniform superposition of x 6 {0, l} n we have 

2^5 E i*>i°> - ^Ec°/(«)i/( a )>i >+ 6 /wi/( a )>i^/(«)>) = io»>- 

a'G{0,l}" x 

We claim that the above circuit that on input (|0), l n ) outputs \Q n ) is a quantum sampler for 
C. Let \C n ) = Ylx l/( x ))|0) be the quantum sample of the circuit C, then 

\(Qn\c„)\ 2 = I^E°/(»)l a ^ l^rE a /(,)l 2 > C 1 - Vp(")) a > i-c, 

where e = — ^^y- This is a contradiction to C being a hard instance of the CQS problem and 
hence / is a quantum one-way function. □ 
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4.2 Many-to-one one-way functions 

The previous section dealt with the case of one-to-one one-way functions. Here, we generalize our 
results to the case of many-to-one functions. We show that the existence of a hard instance of 
CQS problem, where the circuit family {C n } is many-to-one, implies the existence of a quantum 
distributionally one-way function. In the next section we prove that a quantum distributionally 
one-way function implies a quantum one-way function. 

Theorem 4 Assume for a classical circuit family {C n }, which computes a many-to- one function, 
the corresponding CQS problem is hard , i. e. there exists no efficient quantum circuit implementing 
QSc- Then the function f : {0, 1}* — ► {0, 1}* which is defined for every input size n as f n : x i— ► 
C n (x) is a quantum distributionally one-way function. 

Proof. Since the classical circuit is efficient one can implement the unitary map 

U f :\x)\0)^\x)\f(x)). 

Assume that / is not a quantum distributional one-way, then according to definition [7] for every 
polynomial p there exists a quantum polynomial time algorithm S' which succeeds in approximately 
implementing a sampler for /, i.e. for all sufficiently large n € N we have 

S' : |/(s))|0) h+ a m \f(x))\H f{x) ) + b m \f(x))\G f(x) ) , (7) 

where ^ X^e{o i}« a /(z) > 1 — an d the o/^j's are positive. Note that one can unitarily extend 
the S' to apply over any state of the form \f(x))\@) with ^ 0. Using the above unitaries, we can 
construct a quantum sampler QSc that for every input n constructs a quantum sample for C n : 



E ^>i»> = E vir wf ) " i%„>io> 

ze{o,i}' 1 fix) 



/(*) 







2 n/2 






2 n/2 






2 n/2 




-H/(z))l 



/(*) 



>SWAP ^ V ~ on V / 2 V — l/(g))lg/(x)) 



E on/2 ( + 6/(-)l/(*)>|G/ (al )» = I0n> 

/(*) 



The quantum sample for the circuit C n is \C n ) = "^^ — 2^ \f( x ))\ty- Similarly to the 

proof of Theorem 

\in \r \i 2 - iv \r\fMA n , j 2 

I 1 ^ |2 

— 1 2^ Z^xe{o,i} n a f(?)\ 

> |J_V n 2 I 2 

- I 2" 2^xG{0,l} n "/(a:) I 

> (l-l/p(n)) 2 > 1-e, 

where e = — p H( w ) • This is a contradiction and hence, / is a quantum distributionally one-way 
function. □ 



10 



4.3 From quantum distributionally one-way functions to quantum one-way func- 
tions 

In the classical setting, Impagliazzo and Luby [10] proved that the existence of a distributionally 
one-way function implies the existence of a one-way function. In this section, we describe the main 
ideas of their construction and show how to prove the equivalent result in the quantum setting. 

Theorem 5 If there exists a quantum distributionally one-way function then there exists a quantum 
one-way function. 

4.3.1 The Impagliazzo and Luby construction 

Let / : {0, 1}* — * {0, 1}* be a candidate distributionally one-way function. Then, there exists a 
function g such that an inverter / for g implies the existence of a sampler S for /. Let us fix the 
size of input to n, this can be done as we are working with a uniform circuit family. More precisely, 
Impagliazzo and Luby showed that if there exists an inverter / for g that succeeds with probability 
1 — 5 2 /n, then there exists a sampler S for /, such that the distributions (S (f (x)) , f (x)) and 
(x, f{x)) are 0(<5)-close in total variation distance (5 is the inverse of a large polynomial). Without 
loss of generality, the inverter for g outputs _L when it's given as input something which is not in 
the image of g. 

Now, let us try to describe the main ideas of their construction. First, assume that for a given 
f{x) we know the size of the preimage \ f~ 1 {f{x))\ and let k = [log |/ _1 (/(x))|J + O(logn). We 
define the function g as 

g(x, h k ) = (f(x), h k , h k (x)) . 

In other words, g takes as inputs an x and a random string h k which can be thought of as a random 
universal hash function h k ■ {0, l} n — * {0, l} k . The output of g is the value f(x), the random 
universal hash function and the output of the hash function on x. 

There are two observations to be made about the hash function. First, since the range of the 
hash function is slightly larger than the number of x's in the preimage of f(x), with high probability 
the mapping x ^ h k (x) for {x G f \f( x ))} is a one-to-one mapping. This implies, that if we 
could pick uniformly an element from the set {h k (x)\x G f -1 (/(x))} then the inverter of g on input 
(f(x), h k , h k {x)) would return a uniform x G / _1 (/(x)). 

Second, it's indeed possible to pick a uniform element of the set {h k {x)\x G Since 
the range of the hash function is not too much larger than the size of the preimage of f(x), if we 
pick a random element r k G {0, l} fc , then with non negligible probability it holds that r k = h k {x) 
for some x G f~ 1 (f(x)). By repeating the process a polynomial number of times, we can achieve 
high success probability. 

The above two properties enable one to prove that, when one knows the size of the preimage of 
f(x), the following procedure is a sampler for f(x): 

Partial Sampler PS(f(x),k) 

Repeat a polynomial number of times 

Pick a random hash function h k and r k G {0, l} k . 

If I(f(x),hk,r k ) then output it and exit. 
Output _L . 
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The remaining issue is that the sampler doesn't know the size of the preimage of f(x). Suppose 
we pick the range of the hash function to be much larger than the actual size of the preimage of 
f(x). Then the above sampler outputs _L with very high probability. However, conditioned on it 
producing an output x, then this x is still almost uniformly distributed in {f~ 1 (f(x))}. This is 
true since the hash function randomly hashes values of x to a much larger range, and 

therefore, the mapping is with very high probability one-to-one. 

Hence, we can construct a sampler for / by starting with the largest possible value for the range 
of the hash function and keep decreasing it until there is an outcome: 

Sampler S(f(x)) 

For j = n + O(logn) to O(logn): 

If PS(f(x),j) 7^_L output it and exit. 
Output _L . 

Impaglazzo and Luby show that the overall errors of the sampler S are at most 0(5), i.e. inverse 
polynomially small. Their analysis is based on the following claims proved in |10j: 

1. The errors from the fact that the hash function hk is not truly one-to-one are negligible for 
all values j > k. 

2. Since the inverter for g is not perfect, the sampler doesn't work for every f(x) but for f(x)'s 
that correspond to at least a (1 — 5) fraction of the x's (we call such f(x) 'good'). This is 
sufficient, since the total error from the rest of the inputs is at most 0(5). Moreover, for these 
'good' f(x)'s the inverter I of g succeeds with probability (1 — 0(5)). 

3. In the case of a 'good' f(x), if the sampler produces an output for a j > k, then this x is 
guaranteed to be almost uniform (i.e. the distributions (S(f(x)),f(x)) and (x,f(x)) have 
0(5) total variation distance). 

4. In the case of a 'good' f(x), the probability that the sampler actually produces an output for 
j > k is, in fact, very close to 1 (i.e. 1 — 0(5)). 

We will also need the following precise lemma from [10] 

Lemma 1 fW$ Let pj be the probability that the Partial Sampler PS(f(x),j) produces a legal 
output. Then, for all j > k = [log \f~ 1 (f(x))\\ + logra 



4.3.2 The construction of the Quantum Sampler 

Here, we reproduce the Impagliazzo and Luby construction in the quantum setting. Most of the 
analysis remains the same and hence we do not repeat all the details, however we highlight the 
places where the analysis differs. 

As before, let / : {0, 1}* — * {0, 1}* be the candidate quantum distributionally one-way function, 
fix the input size to be n, and define g(x, hk) = (f(x), hk, hk(x)). Assuming that we have a quantum 
inverter / for g, our goal is to construct a quantum sampler for /, namely the following unitary 




QSampler: \f(x))\0) ^a f{x) \f(x))\H f(x) )+b f{x) \G f{x) ), 
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where £ Ex G {o,i}" a /W ^ 1 " and \ H f{x)) = ^ lf -i (f{x))] Sxe/-i(/(*)) l x )- 

Similar to the classical case, we restrict ourselves to 'good' f(x)'s. First, we assume that for 
a given f(x) we know the size of the preimage \f~ 1 (f(x))\ and k = [log |/ _1 (/(x))|J + O(logn). 
The following unitary operations are the quantum equivalents of picking a random universal hash 
function hk and a random string r k G {0, l} k and are efficiently constructible: 

Q : |fc>|0>->|*)-J=X> fc ) , B : |fc)|o) ^ J_ E |r fe ), 

where H is the number of possible universal hash functions h k : {0, l} n — > {0, l}^. From what 
follows we drop the above normalization factors. 

Let us, now, define a perfect inverter / for g. The inverter, given an input (f(x),h k ,h k (x)), 
such that there exists a unique x G f~ 1 (f{x)) mapped to h k (x), always returns x and given an 
input {fix), hk, Sk), such that there is no x G f~ l {f{x)) mapped to Sk, returns an "error" symbol. 

\f(x))\h k )\h k (x))\0)\0) - \f(x))\h k )\h k (x))\x)\0) 
|/(*)>|/*>k>|0)|0) - |/(s)>|fc fc >|s fc >|0)|l) 

The last register- input to I acts as the "error flag". Note first, that by the analysis of [TO] 
the errors from the fact that h k may not be one-to-one are small. Also, the inverter of g is not 
guaranteed to be perfect but only work with probability 1—0(6), but these errors are also small (i.e. 
inverse polynomially small). For clarity of exposition, in our description of the quantum sampler 
we are going to use the perfect inverter of g and assume that hk is a one-to-one mapping. 

Last, recall that hk is an efficient hash function and hence, having \h k ) and \x) one can efficiently 
compute \hk{x)) and construct the following unitary: 

T : \h k )\h k (x))\x) - \h k )\0)\x). 

We are now ready to define a partial quantum sampler for f(x), when we know the size of its 
preimage. Denote by Pkj(x) the probability that the perfect inverter would return a legal output 
for given values of f(x) and k. In the following, we drop the second subscript and have pk = Pkj(x)- 

Partial Quantum Sampler PQS(f(x),k) 

|/(x))|fc>|0>|0>|0)|0) 

h k ,r k 

h - 5 ' 6 VP~k\f{x))\k) £ \h k )\h k {x))\x)\Q) + Jl^ k \f(x))\k) J2\hk)\s k )\0)\l) (ii) 

h k ,h k (x) h k ,s k 

T - 5 y/Ph\f(x))\k) E 1^)1°) E l*>l°> + V^V~k\f{x))\k) e \hk)\s k )\m) (i") 
hk xef- 1 (f(x)) h k ,s k 



p- k \f{x))\k)\m\H f[x) m + y/T^\f(x))\k)\G f{x)>k )\i) , h 



1 In fact, similar to the classical case one has to use a polynomial number of independent universal hash functions 
instead of one. 
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where \Hf^} = , = Yl x ef- 1 (f(x)) \ x )- ^ n ^ ne nrs ^ s ^ e P) we construct a uniform superpo- 

sition of all possible hash functions h k and random strings r k G {0, l} fc . In the second step, we 
perform the Inverter of g. Assuming that the inverter is perfect and the mapping x i— ► h k (x) is 
truly one-to-one, then the state is exactly the one in (ii). The first term corresponds to the strings 
r k G {0, l} fe such that = hk{x) for a unique x G and this happens with probability 

Pfc. The second term corresponds to the rest of the strings. In the third step, we uncompute hk(x) 
and in the last step we uncompute the superposition of h k . The final state in the perfect case 
consists of two terms. The first one is \f(x))\k)\Hf^), where the third register contains a uniform 
superposition of the preimages of f(x) and the second term denotes that the Sampler has failed 
("error flag" register is 1). The norm of the first term is p k , which is the probability that the 
inverter outputs a legal output for the given values k, f(x). 

Our partial quantum sampler imitates exactly the Impagliazzo and Luby one and hence their 
analysis implies exactly that conditioned on our sampler not failing, the actual state produced at 
the end is very close to the state \f(x))\k)\Hf< x \). Moreover, since we picked k = [log\f^ 1 (f(x))\\ + 
O(logn) the norm {p k ) of the term \f(x))\k)\Hf^) is not negligible. 

Though the classical and quantum partial samplers seem identical, there is, in fact, a difference. 
In the above procedure, for superposition inputs, different values of \k) and |/(x)) get entangled 
and so the naive way of implementing the classical sampler S(f(x)) as a quantum circuit will 
fail. This can be overcome by applying the classical procedure in a "clean" way i.e. garbage-free 
where the garbage in this case is the \k) register. However, since the classical procedure consists 
of a "While Loop" (a loop with an exit command) the procedure of un-computing the garbage is 
more demanding than the usual case where one deals with a "For Loop". To do so, instead of 
implementing the while loop of the classical algorithm we prepare a weighted superposition of all 
k's as an ancilla register which then leads to our garbage-free quantum sampler. 

First we construct a partial ancilla preparation circuit for the case where the value of k is 
known. Basically, we apply our partial quantum sampler twice in order to "clean" the register that 
contains \Hf^), while copying the "error flag" in between. 

Partial Ancilla Preparation, PAP(f(x),k) 

|/(*)>|fc>|0)|0)|0) 

^p- k \f(x))\k)\H f{x) )\0)\0) + ^T^ k \f(x))\k)\G f{x) , k )\l)\0} 
^p- k \f(x))\k)\H f{x) )\0)\0) + y/T^\f{x))\k)\G f{x)>k )\l)\l) 
v^(v^l/(^))l^)|0)|0) + yr^|/(x))|A ; )|G / ))|0) + 
yr 3 ^(yr 3 ^l/W)|A;)|0)|0) + v ^|/(x))|A : )|G"))|l) 

|/(a;))|fc)|0)|0)(p fc |0) + (l-p fc )|l)) + 

VPk(l-PkW(x))\k)\G')\0) + |/(*)>|*>|G">|1» • 

We rewrite the transformation PAP(f(x),k) by adding a flag register that is 1 when the third 
register is not |0) and also for clarity we do not write the third the fourth registers 

PAP(f(x),k) : |/(aO)|fc>|0>|0> ~ |/(x))|fc)(p fc |0) + (1 -p fc )|l)) |0) + |G /(x))fc >|l) . 



PQS(f(x),k) 
(ctrl-NOT) 4 , 5 
PQ5(/(x),fc)t 
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We now describe a circuit for the ancilla preparation when we start our algorithm for a large 
value of k and decrease it at each step by one. For clarity, the quantum registers contain the values 
n to 1 instead of n + O(logn) to O(logn) which are the real values for which the Sampler is run. 
Furthermore, all the operations are controlled by the "error flag" being the last register. 

Ancilla Preparation AP(f(x)) 

|/(x))|n)|0)|n-l)|0)---|l)|0)|0) 

|/(x))|n) (p n |0) + (1 - P n)\l)) \n - 1)|0) ■ ■ ■ |1)|0)|0) + |G)|1) 
|/(x))|nK|0)|n-l)|0)---|l)|0)|0) + 

|/(x))|n)(l - p n )\\)\n - 1) (p„_i|0) + (1 - p n -i)\l)) ■ ■ ■ |1)|0)|0) + 

|/(x))|nK|0)|n-l)|0)---|l)|0)|0) 
|/(x))|n)(l-p n )|l)|n- l)p n _!|0) •••|1)|0)|0) 

|/(x))|n)(l - p n )\\)\n - 1)(1 - Pn -i)\l)\n - 2) ( Pn _ 2 |0) + (1 - p n - 2 )|l)) ■ ■ ■ |1)|0)|0) 
|G")|1) 

|/(x)>|n>---|l>X;%-b>|0> + |G/>|l>, 

j 

where qj = YliZii^ ~ Pi)Pj is the probability that the sampler PQS succeeds at the j-th round 
and has failed on all previous rounds. Since the registers that contain the values n to 1 are not 
entangled with f(x) we can ignore them and have 

AP : |/(s)>|0>|0> ~ |/(*)> £ qj \m + \G f )\l) • 

j 

Now we present the garbage- free quantum sampler for the general case where we don't know the 
size of the pre- image for a given f(x). For clarity, we don't explicitly write down all the necessary 
|0) registers in every step and also all the unitaries are performed when the "error flag" is 0. 



ctr 3 -PAP M ,5 



ctr 5 -PAPi,6,7 

+ 
+ 
+ 
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Quantum Sampler, QS(f(x)) 



l/(*)>|0>|0) 

I/(«)>E©|J>|0> + |G} W >|1) 

3 

\m)J2v\ti(vpj\H fiX ))\o) + ^ 7 P3\G% ) ,m)n + \g) {x) )\i) 

3 

j 

where the last step follows from the unitarity of AP\ i.e. from 

\f{x))Y J <l3\m + \G) {x) )W |/(x)>|0>|0> 

3 

l/(*)>EW^U>l°> ^ «|/(x))|0)|0)+/3|G)|l). 

3 

We conclude that a = ((/(*) | £ . <Z;0'|<0| + (G} w |(l|) (|/(*)) ^ <&vW>|0>) = Ej 

It remains to compute the success probability of the Garbage-free Quantum Sampler, i.e to 
calculate the square of the sum ■ l]y/Pj- Proving that it is 1 — o(l), then we obtain a contradiction 
to / being a quantum distributionally one-way function and hence we conclude that g is a quantum 
one-way function. Note that the success probability of the Impagliazzo and Luby sampler is ^ ■ q 3 - 
and Lemma [TJ proves that for j > k = [log \ f~ 1 (f(x))\\ + O(logn) one obtains Y2j>k Qj = ^ ~ 
Here, we have a slightly more complicated expression that can still be shown to be large. 

Lemma 2 The procedure QS is a quantum sampler for f with probability 1 — o(l), i.e. • q^^/p] > 
l-o(l). 

Proof. We are going to bound this sum by showing that there exists a particular m for which the 
term q^^/Pm is 1 — o(l). In order to do so, we slightly change the procedure we described above 
and instead of starting from j = n + logn and decreasing j at each step by 1, we pick a random 
offset r G [log logn], start with j = n + logn + r and decrease j at each step by log logn. Also, let 
k = [log \f~ 1 (f(x))\\ + logn. The values of pj for different j's can be estimated using LemmaQ] 

(1 _ 0(1)) ( 1 _(I^')< P ,< 1 _(I) 2> '. 

First, we bound the probability that the algorithm fails in all the rounds for j = n + logn + r to 
j > k + (1 + e) log logn, where for example e = log ^ log - . Note that at each round j is decreased 
by log log n. Since pj is a decreasing function of j the minimum probability of failure is obtained 



AP 
PQS 

APt 
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for r = and is 



n+logn n+logn / i \ 2 fc_J / i \ 2 _ ( f + e ) log log n 

n p-») ^ n =n(i) 



j=fc+(l+e) log log n j'=fc+(l+e) log log n f> 



n / -^^ \ n J 



P(s) =(;) " 



1)^^ = i_ 0( i). 
n J 

Moreover, for any j £ [k + e log log n,k + (1 — e) log log n] , we have that 

/ -, \ 2-( 1 - e ) lo s 1 °g™ / , \ (logn)-^" 6 ) /.^(logn) 6 

»>!-(-) =!-(-) =l-d). 

Since we pick a random initial offset r £ [1, loglogn], then with probability (1 — 2e) over r the 
algorithm is run for an m £ [k + e log log n, k + (1 — e) log log n] . In this case, we have already shown 
that p m = 1 — o(l) and, moreover, for all previous rounds we have j > ft + (1 + e) log log n and hence 
the probability of failure is Wj >m {^~Pj) = 1 — To sum up, with probability (1 — 2e) = 1 — o(l) 
our algorithm is run for an m such that 

3 3> m 

and therefore the overall success probability of the algorithm is 1 — o(l). □ 



This concludes the proof of Theorem [5] and together with Theorem |4] we have 

Theorem 6 Assume for a classical circuit C , which computes a many-to-one function, the corre- 
sponding CQS problem is hard , i.e. there exists no poly(\C\) size quantum circuit implementing 
QSc- Then there exists a quantum one-way function. 



5 Statistical Zero Knowledge and quantum one-way functions 

The CQS problem has an interesting connection to the classical complexity class of Statistical Zero 
Knowledge (SZK) languages: 

Theorem 7 J1J/ Any language C £ SZK can be reduced to a set of instances of the CQS problem. 

The proof is based on a reduction of the following SZK-complete problem to a quantum sampling 
problem. 

Definition 8 Consider two constants < j3 < a < 1 such that a 2 > j3. Statistical Difference 
(SD a p) is the promise problem of deciding for any two given classical circuits Cq and C\ whether 
their output distributions are close to or far from each other, i. e. whether: 

\\D Co -D Cl \\ > a or \\D Co - D Cl \\ < P ■ 
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It is not hard to see that the above problem can be reduced to the problem of quantum sampling 
the circuits Co and C\. Indeed, if one could efficiently construct the quantum samples \Cq) and 
|Ci), then, by performing a SWAP-test, one could decide whether the two circuit distributions are 
close to or far from each other. Equivalently, the above problem can be reduced to the problem 
of quantum sampling the circuit C = C$ (g> C\ , since a SWAP-test would again decide whether the 
two circuit distributions are close or far. Based on this result, we obtain the quantum analog of 
Ostrovsky's result [H]: 

Theorem 8 Assume there exists a language C £ SZK\ AvgBQP, then quantum one-way functions 
exist. 

Proof. Assume C € SZK x AvgBQP. For every input size n, let {C x } xe { 0tl yi be the set of 
classical circuits which decide L via reduction to the complete language in Definition [HJ Denote 
by m = poly(n) the size of the input to the circuits from this set. Since the language C is not 
in AvgBQP, for any sufficiently large input size n, there exists a samplable distribution D n such 
that for x ~ V n , the language C can not be decided with high probability with a polynomial 
time quantum algorithm. Equivalently there is no polynomial quantum algorithm that produces 
a quantum sample of C x for an average x ~ T> n . We can assume this distribution to be uniform 
[9] and hence we have a uniform family of sets of circuits {{C x } x ^ ijn} ne ]^, such that for any 
polynomial time quantum algorithm Q, any constant e G [0, 1/2), and all sufficiently large n £ N 

Q : \x)\0) i-> c x \x)\C x ) + d x \G x ) , 

with 

^ E kwio» . \*)\c x ))\ 2 = ^ E m 2 < 1 - e • 

X X 

We define the function fc ■ {0, 1}* — ► {0, 1}* such that fc '■ (x, y) i— ► (x, C x (y)) and prove that it is 
a quantum one-way function. We assume that / is one-to-one otherwise from Theorem [5l we can 
obtain the same result. Suppose that the function fc is not one-way, then there exists an inverter 
such that 

I ■ \f(x,y))\0}\0) ^ a }{X)V) \f{x,y))\x)\y) + &/(*,,,) | > 

or equivalently 

I : \x)\C x (y))\0) ' * a f{x , y) \x)\C x (y))\y) + b f(Xty) \G f[x , y) ) , 
where Y, x , y a )(x, y ) - 1 

(the average is taken over x and y) and the a^^'s are positive. 
We start from a uniform superposition of all y and use the inverter to create a circuit that is a 
good-on-average quantum sampler (similar to the proof of Theorem [3|) : 

l*>2S7r£»|o> -t/, \x)^J2 y \y)\c x (y)) 

^swap \z)ykpJly\ c!x (v))\v) 

-J 1^)^72 Z y (af( x ,y)\C*(y))\0) + 6/(^)1^))) = |x)|T m ) , 

and hence for an average x 

^■Ei^i^ii^i^i 2 = ^E'^E a /(^)i 2 - i^r^E a /(^)i 2 

x x y x,y 

x,y ^ ' 
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This is a contradiction and hence the function fc is a quantum one-way. 



□ 



6 Conclusions 

In this paper we prove that the existence of any problem in SZK which is hard-on-average for a 
quantum computer, implies the existence of quantum one-way functions. Our proofs go through the 
problem of quantum sampling. Aharonov and Ta-Shma cast many important problems as quantum 
sampling problems and described a possible way for attacking them. It is, hence, very interesting 
to investigate the real hardness of quantum sampling. We already know that if SZK % AvgBQP 
then there exist hard instances of quantum sampling. Under what other assumptions can one prove 
the existence of hard instances of the CQS problem and consequently quantum one-way functions? 

Furthermore, we saw that our candidate one-way problems include some of the most notorious 
problems in quantum computing, like Graph Non-Isomorphism and approximate Closest Lattice 
Vector problem. Could we construct one-way functions from other problems, such as the hidden 
subgroup problem in the dihedral or other non-abelian groups? 

Last, Watrous [16] proved that computational zero knowledge for NP is implied by the existence 
of quantum one-way permutations. What other implications does the existence of quantum one-way 
functions have? 
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